From 7cd0e407e06e8ff5a8d893d21d1f2bd4338e42c6 Mon Sep 17 00:00:00 2001 From: Adam <13007539+MrgSub@users.noreply.github.com> Date: Sun, 27 Jul 2025 14:14:28 -0700 Subject: [PATCH] Add auth validation and logging for API endpoints (#1844) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit # READ CAREFULLY THEN REMOVE Remove bullet points that are not relevant. PLEASE REFRAIN FROM USING AI TO WRITE YOUR CODE AND PR DESCRIPTION. IF YOU DO USE AI TO WRITE YOUR CODE PLEASE PROVIDE A DESCRIPTION AND REVIEW IT CAREFULLY. MAKE SURE YOU UNDERSTAND THE CODE YOU ARE SUBMITTING USING AI. - Pull requests that do not follow these guidelines will be closed without review or comment. - If you use AI to write your PR description your pr will be close without review or comment. - If you are unsure about anything, feel free to ask for clarification. ## Description Please provide a clear description of your changes. --- ## Type of Change Please delete options that are not relevant. - [ ] 🐛 Bug fix (non-breaking change which fixes an issue) - [ ] ✨ New feature (non-breaking change which adds functionality) - [ ] 💥 Breaking change (fix or feature with breaking changes) - [ ] 📝 Documentation update - [ ] 🎨 UI/UX improvement - [ ] 🔒 Security enhancement - [ ] ⚡ Performance improvement ## Areas Affected Please check all that apply: - [ ] Email Integration (Gmail, IMAP, etc.) - [ ] User Interface/Experience - [ ] Authentication/Authorization - [ ] Data Storage/Management - [ ] API Endpoints - [ ] Documentation - [ ] Testing Infrastructure - [ ] Development Workflow - [ ] Deployment/Infrastructure ## Testing Done Describe the tests you've done: - [ ] Unit tests added/updated - [ ] Integration tests added/updated - [ ] Manual testing performed - [ ] Cross-browser testing (if UI changes) - [ ] Mobile responsiveness verified (if UI changes) ## Security Considerations For changes involving data or authentication: - [ ] No sensitive data is exposed - [ ] Authentication checks are in place - [ ] Input validation is implemented - [ ] Rate limiting is considered (if applicable) ## Checklist - [ ] I have read the [CONTRIBUTING](https://github.com/Mail-0/Zero/blob/staging/.github/CONTRIBUTING.md) document - [ ] My code follows the project's style guidelines - [ ] I have performed a self-review of my code - [ ] I have commented my code, particularly in complex areas - [ ] I have updated the documentation - [ ] My changes generate no new warnings - [ ] I have added tests that prove my fix/feature works - [ ] All tests pass locally - [ ] Any dependent changes are merged and published ## Additional Notes Add any other context about the pull request here. ## Screenshots/Recordings Add screenshots or recordings here if applicable. --- _By submitting this pull request, I confirm that my contribution is made under the terms of the project's license._ --- ## Summary by cubic Added authentication checks and logging to API endpoints to block unauthorized requests and help debug failed logins. - **Bug Fixes** - Log when missing or invalid auth headers are detected. - Return 401 responses for unauthorized access. --- apps/server/src/main.ts | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/apps/server/src/main.ts b/apps/server/src/main.ts index 3056ffa02..8555d2a78 100644 --- a/apps/server/src/main.ts +++ b/apps/server/src/main.ts @@ -598,11 +598,13 @@ export default class extends WorkerEntrypoint { async (request, env, ctx) => { const authBearer = request.headers.get('Authorization'); if (!authBearer) { + console.log('No auth provided'); return new Response('Unauthorized', { status: 401 }); } const auth = createAuth(); const session = await auth.api.getMcpSession({ headers: request.headers }); if (!session) { + console.log('Invalid auth provided', Array.from(request.headers.entries())); return new Response('Unauthorized', { status: 401 }); } ctx.props = { @@ -632,6 +634,10 @@ export default class extends WorkerEntrypoint { } const auth = createAuth(); const session = await auth.api.getMcpSession({ headers: request.headers }); + if (!session) { + console.log('Invalid auth provided', Array.from(request.headers.entries())); + return new Response('Unauthorized', { status: 401 }); + } ctx.props = { userId: session?.userId, };